Messages

[invert destination]

Hey nero355,

You're right, I did not see the "invert destination" option. Now I did check it and specified my firewall.

Thanks to you, I had a better look at it!

[Setup]

Hi,

I set up DNS enforcement on my OPNsense home network to force all devices through my local Unbound resolver (with blocklists), regardless of their configured DNS server.

Setup:

• LAN firewall rules: pass DNS to OPNsense, block DNS to anywhere else, block DoT (port 853)
• Destination NAT rule redirecting all port 53 traffic to OPNsense (self)

Problem:
Computers, VMs and Docker containers already using OPNsense as their DNS server started experiencing intermittent timeouts. The NAT redirect was intercepting their queries (already correctly destined for OPNsense) and creating a redirect loop.

Fix:
Added a "no redirect" NAT rule, matching DNS traffic already destined for OPNsense, before the destination NAT rule redirecting all port 53 traffic to OPNsense.

Final NAT order:

• No redirection for DNS already targeting OPNsense
• Redirect everything else to OPNsense

I tried different things and it does not work, even with "Type: Remote Host". I think I will try my chance with cron instead of Monit.

Hello,

I can't make something work and I don't know what is my error.

My provider changes sometimes my WAN IP address, and when it happens, my Internet connection stop working, and I have to manually reload the WAN interface in "Interfaces: Overview" to make it work again.
So it's a problem when I am not at home.

I want to automatically reload this interface when Internet is not available anymore.

I tried to use "Monit", but my configuration is not accepted.

Code Select Expand

Services: Monit: Settings: Service Tests Settings
Name: ping_failed_cloudflare
Condition: failed ping4 address 1.1.1.1 count 5 with timeout 5 seconds
Action: Alert

Services: Monit: Settings: Service Settings
Enable service checks: checked
Name: reload_wan
Type: Custom
Path: /usr/local/sbin/ifctl
Start:
Stop: /usr/local/sbin/ifctl -r opt2
Tests: ping_failed_cloudflare
Depends:
Description: Reload WAN interface if ping to Cloudflare DNS fail.
I can't save my "Service Settings - reload_wan" configuration, and here is the error message:

Test ping_failed_cloudflare with type Network Ping not allowed for this service type

How to make it work?

Thanks for your help!

In System: Settings: General, I have changed my domain to home.arpa.
And in System: Settings: Administration, I also had to check :
- Disable DNS Rebinding Checks
- Disable HTTP_REFERER enforcement check

[Edit] In fact, it's not working after flushing DNS cache. :/

AND, I lose Internet connection if I check Do not register system A/AAAA records in Services: Unbound DNS: General.

Thank you, Eric.

In my case, I don't access OPNsense from WAN, do you think it can request the public DNS before using the Unbound overrides from my LAN?

I just wanted to use a domain I own for all my services, to avoid the security advertisement of the self-signed certificates.

If I understand correctly, the proper way to configure my setup would be to assign OPNsense a different hostname or domain, using a local domain instead of the one I currently use, for example?

Not to sure to understand all at the moment, but I have some sleep to catch up. :p

Move the web UI to a port other than 443 and disable the HTTP --> HTTPS redirect.

Thank you Patrick, I did just that and added the port to the OPNsense HAProxy backend and it seems to work. Great!

OP, do you have your (System -> Settings -> General -> System -> Domain) set to "mydomain.com". If so, I think you may be confused because Unbound host overrides are not really true overrides - they are more like additional host records in the local DNS server. If you add a host override for "opnsense.mydomain.com", a DNS query for that would return that additional record BUT ALSO the default (automatically generated) system records for your firewall itself, and your browser may choose to use one of the default records.

It is exactly my situation. It sometimes use the Unbound DNS override, but almost all times the system DNS record.

You could potentially hack around this with (Services -> Unbound DNS -> General -> Do not register system A/AAAA records).

For now, I will try Patrick's solution. If I encounter some problem's with this setup, I will look into it, thanks.

I would caution a bit against convoluting admin access to your firewall, though - it may come back to bite you some day, when something goes wrong, and you can't easily get into your firewall to fix it.

In this case, I just have to use https://ip_address:port or https://opnsense.mydomain.com:port to bypass HAProxy. It's a simple home setup. But it's always great to have explanations to become more aware of weaknesses.
I also have ssh access with a key (no password).

Personally I think it's probably not a great idea to try to have "mydomain.com" resolve differently internally vs externally. I use "subdomain.lan" as my internal domain (I have a couple of locations, with different subdomains). Proxied stuff could still be accessed using "mydomain.com" URLs by enabling (Firewall -> Settings -> Advanced -> Reflection for port forwards). If your browser might be on the same LAN subnet as the proxy, you may also need "Automatic outbound NAT for Reflection", though that has the side-effect of making internal connections appear to come from the firewall's address, not the actual client's. I have my proxy in an isolated VLAN, which mitigates that issue, as well as being a bit more secure (I have firewall rules to control what the proxy host can access internally).

Yes, I wanted to use the same domain externally and internally, but it makes my HAProxy configuration more complex. I do not have much time to rethink my setup at the moment, but you're right, it would be more secure to use another subnet for all my servers.
Not sure to understand "reflection" now, but I will dig into it.
Thank you.

Hello,

I have a setup where my OPNsense router and firewall is also running Unbound DNS for internal name resolution. I am using an external HAProxy instance (on a VM) to handle reverse proxying and SSL termination for all my services, including the OPNsense Web UI.

• Unbound DNS on OPNsense has an override configured to redirect requests for the domain opnsense.mydomain.com to the IP address of the external HAProxy server.
• HAProxy has a valid Let's Encrypt certificate and is responsible for handling requests for opnsense.mydomain.com.
• The OPNsense Web UI is only accessible via LAN and is configured with the default self-signed certificate.

When I try to access the OPNsense Web UI using the domain name opnsense.mydomain.com from a device on my LAN:

• The request bypasses HAProxy and is answered directly by OPNsense because it identifies the domain as its own.
• This causes the browser to display a certificate error since OPNsense serves its self-signed certificate instead of routing the request to HAProxy, which has the Let's Encrypt certificate.

I need OPNsense to never respond directly to requests for its Web UI, even if it resolves the domain as pointing to itself. Instead, it should always forward these requests to HAProxy as defined in the Unbound DNS override.

How can I achieve that?

I look for only allowing the IP address of my HAproxy server in System: Settings: Administration, with DNS Rebind Check checked or unchecked, and using Listen Interfaces to only allow the IP address of my HAProxy server, but could only chose my LAN interface, and OPNsense and the HAProxy server are on the same LAN. So i am stuck here.

Thanks for your help!

Hi,

I tried to move from a Cloudflare-ddns Docker container to os-ddclient, but I can't make it work at the moment.

I have several domain names to update, on the same Cloudflare account, and my Cloudflare API token includes all zones of this account.

So each of my domain names is configured as such:
- Service: Cloudflare
- Username: <empty>
- Password: <cloudflare_account_api_token>
- Wildcard: unchecked (I only want to update my domain names, because I use CNAMES for subdomains)
- Zone: <example.com>
- Hostname(s): <example.com> (exactly like Zone)
- Check ip method: Interface
- Interface to monitor: WAN_832 (device: vlan0.832, like this configuration https://docs.opnsense.org/manual/how-tos/orange_fr_fttp.html)
- Force SSL: checked

I tried at first to update all my domain names in the same Cloudflare service, like what I was doing in a cloudflare-ddns Doker container, but I get a lot of errors. So I have separated the domain names like the configuration above, one entry for each, but I see no "Current IP", nor "Updated" in the Dynamic DNS service.

In the logs, I get the same Notice every five minutes:

Code Select Expand

2023-05-22T23:21:31 Notice ddclient[33961] 94731 - [meta sequenceId="3"] FAILED: Unable to obtain information for 'vlan0.83' -- missing ip or ifconfig command
2023-05-22T23:21:31 Notice ddclient[33961] 93072 - [meta sequenceId="2"] FAILED: Unable to obtain information for 'vlan0.83' -- missing ip or ifconfig command
2023-05-22T23:21:31 Notice ddclient[33961] 92075 - [meta sequenceId="1"] FAILED: Unable to obtain information for 'vlan0.83' -- missing ip or ifconfig command

Two things:
- the device is "vlan0.832", but the logs specified "vlan0.83", like if it is truncated
- my WAN_832 as an IPv4, but no IPv6. Only an IPv6 delegated prefix which is tracked by my LAN interfaces.

In the Cloudflare interface, the API-token is refreshed all fives minutes, so there is a communication.

Thanks for your help.

Hi Franco,

It works, thank you!

(Not possible to use the same IPv6, like "fe80::1/64", but it's sufficient to use an easy to remember address.)

It should be there already, check out Interfaces->Overview, it should display the link-local address. The address is deterministic, it's based on the interface's MAC address (EUI-64).

Yes, I want to use another, simplier, IPv6 link-local address. Like fe80::1/64. It is possible on Cisco routers for example.

Theoretically, fe80::1/64 is a perfectly legal address and you you be able to set it, but it does not seem to be possible from OpnSense GUI as a VIP.

You could modify the interface MAC in order to get another EUI-64 from that, but it contains ff:fe in the middle.

Ok, thank you.

I will look for a way to modify it in command line, but not sure if it is possible.

Hi!

First post here, thank you for this great firewall, which I am currently trying to configure for my needs with IPv6.

I was wondering if there is a way to modify, or add IPv6 link-local addresses for each of my LAN interfaces (fe80::XXXX:XXXX:XXXX:XXXX/64).

To simplify the gateway of my servers in theses LAN.

Thanks!